Week 39, 2019

FairWin | Zcash | Masad | Capture the Coin

This week we will focus on several high-profile vulnerabilities in a variety of blockchain projects. The FairWin Ponzi scheme wins the prize for not only allowing contract owners to steal all the funds, but also for failing to protect the contract itself from a front-running attack. Zcash allowed shielded addresses to be linked to the IPs of the full nodes originating them. A new clipboard-stealing malware family targets all major cryptocurrency assets. On a lighter note, Arpox wrote an awesome write-up for the Capture the Coin competition, which he absolutely dominated this year!

Vulnerabilities

Malware

  • Masad Stealer: Exfiltrating using Telegram - a Juniper Threat Labs report on a new Windows-only malware family capable of stealing user credentials and replacing cryptocurrency wallet destination addresses with ones controlled by the attackers. It performs the latter by matching common cryptocurrency address patterns in the clipboard and replacing them. The malware is unique in its use of Telegram for C2 communications.

    Indicators:

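The address-pattern substitution described above, seen from the defender's side: an added example (not from the Juniper report or any tool it describes) that flags the tell-tale sign of a clipboard hijacker, a copied address replaced by a different address of the same format. The regexes and the sample clipboard contents are constructed for illustration; a real monitor would hook the OS clipboard and validate address checksums as well.

```python
import re

# Loose syntactic patterns for the address formats a clipboard hijacker targets.
# No checksum validation here: the goal is only to notice that an address-shaped
# token was replaced by another one of the same type.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "xmr": re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
}

# Constructed sample clipboard contents (not real wallets): a payment note with one
# Bitcoin and one Ethereum address, and the same note after a hijacker swapped the
# Bitcoin address for a different one of the same format.
BTC_ORIGINAL = "1ExampBAddrAAAAAAAAAAAAAAAAAAAAAAA"
BTC_SWAPPED = "3SwappedAddrBBBBBBBBBBBBBBBBBBBBBBB"
ETH_ORIGINAL = "0x0123456789abcdef0123456789abcdef01234567"
COPIED_TEXT = f"pay {BTC_ORIGINAL} or {ETH_ORIGINAL} by Friday"
HIJACKED_TEXT = COPIED_TEXT.replace(BTC_ORIGINAL, BTC_SWAPPED)


def find_addresses(text):
    """Return (kind, address) pairs found in text, in order of appearance."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def detect_swap(copied, clipboard_now):
    """Compare what the user copied with what the clipboard holds now.

    Returns (kind, original, replacement) for each address that was replaced by a
    different address of the same type, which is the signature of clipboard
    hijacking. A clean clipboard yields an empty list.
    """
    before = find_addresses(copied)
    after = find_addresses(clipboard_now)
    swaps = []
    for (kind_b, addr_b), (kind_a, addr_a) in zip(before, after):
        if kind_b == kind_a and addr_b != addr_a:
            swaps.append((kind_b, addr_b, addr_a))
    return swaps


if __name__ == "__main__":
    for kind, old, new in detect_swap(COPIED_TEXT, HIJACKED_TEXT):
        print(f"ALERT: {kind} address changed on the clipboard: {old} -> {new}")
```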
  • WannaCryFake Decryptor - a decryption tool for the WannaCryFake ransomware. WannaCryFake encrypts files using the AES-256 algorithm and demands a ransom in Bitcoin.

Events

  • Capture the Coin CTF write-up by Arpox - an awesome write-up of all the challenges by the first-place winner, Arpox. I highly recommend going through his article if you are interested in learning how to tackle a wide range of blockchain security topics.

That’s all in blockchain threat intelligence this week. Stay safe and patch early!